The lifecycle of a cyber security incident can be broken up into three stages: investigation, remediation and notifications/disclosures, the latter often being the most complex, time consuming and costly. Disclosure challenges are compounded by breach notification laws that require initial statements before the investigation is completed and the incident is fully contained. Disclosure challenges can also stem from improper interpretation of digital forensics findings.
While the first two stages of a cyber security incident can greatly benefit from the involvement of skilled and technical incident responders, notifications and disclosures following a data breach, in particular when forensic facts are still unknown, require assistance from experienced forensic investigators, skilled engagement managers and legal counsel (preferably specializing in cyber security law). Together they prepare factual and confident initial disclosures that satisfy legal mandates while minimizing future liabilities and contradictions.
This makes it imperative that from the start, cyber investigations are structured with the right mix of technical and legal expertise to minimize the costliest stage of a cyber incident.
An Increasingly Intricate Web of Enforcement
The complexity of data breach and cyber incident disclosures is magnified when organizations operate across multiple jurisdictions, each with different disclosure requirements and timelines. In the U.S., for example, state attorneys general and several consumer protection agencies (e.g., FTC, FCC, SEC, etc.) impose different data privacy breach disclosure requirements with varying thresholds and reporting timelines. Internationally, several countries have enacted stringent federal, state and territory data breach laws with mandatory reporting requirements of varying degrees. Two recent examples highlight this complexity:
- An incident Kroll investigated at a regional telecommunications company drew inquiries from the FCC, the FTC and multiple state attorneys general
- A client in the hospitality industry had a cyber incident that drew inquiries from several U.S. states and federal agencies as well as the UK, Italian and Australian data privacy regulators
In addition to potential fines for noncompliance with breach notification requirements, organizations could face class action lawsuits following cyber security incidents for making misstatements or hypothetical disclosures about the impact of such incidents. Morrison Foerster reported a massive 270% increase in data breaches in 2020, leading to 25 class action suits filed as a result of serious cyber security incidents.
As data privacy laws continue to expand, establishing methods, procedures and communication strategies for dealing with data privacy breaches can significantly reduce penalties, future litigations and negative public attention.
Minimizing Risks Related to Careless Disclosures
With over 2,700 cyber security investigations conducted in 2020 across multiple industry verticals, Kroll is at the forefront of data breach investigations, working with top cyber and privacy counsel to help clients navigate the entire lifecycle of an incident and refine their defensible security narrative. We approach every cyber investigation with consideration for the potential financial, legal and reputational risks that may emerge from cyber incidents. This begins by working with seasoned legal counsel at the outset of every cyber investigation, and it is further enhanced by ensuring that digital forensic evidence is collected and preserved in accordance with legal constraints and that disclosures are only made based on concrete facts.
Technical expertise alone is often not enough to answer questions such as “What happened?”, “Was personal information exposed?” or “Was there unauthorized access, and did they exfiltrate data?” That is why our experienced cyber security incident response teams are led by highly skilled engagement managers (for example, from large global enterprises, former law enforcement, prosecutors or cyber security attorneys) with extensive experience testifying in a court of law in support of civil and criminal cases. Our engagement managers are proficient at interpreting and presenting case findings in the most factual way possible to help outside counsel determine the impact of applicable laws and disclosure mandates.
Representative Incident – Misrepresenting Unauthorized Access in Ransomware Investigations
With ransomware attacks now exfiltrating data, counsel relies on digital forensics experts to uncover whether there was unauthorized access to sensitive data, which may constitute a notifiable data breach. Ransomware groups often look to gain access to the network and then run reconnaissance to decide what data to exfiltrate.
What seems like a small distinction could have significant repercussions for the impacted organization, potentially leading to costly regulatory and public disclosures in addition to reputational damage.
Language as a Cyber Security Skill
With the number and severity of data breaches increasing and data privacy laws becoming stricter, organizations should develop communication strategies that provide timely, accurate and controlled cyber incident disclosures. Engaging effective cybercrime investigators who leverage language as a powerful skill, partnered with experienced legal counsel, can significantly reduce the post-incident risks associated with careless disclosures and public distrust. We owe it to our clients to exercise the right language when faced with uncertainty and to wield it in defense of stronger security.